Answer ten yes-or-no questions about your information security program and get an instant readiness indicator. Everything runs in your browser: nothing is submitted, stored, or shared. This is a readiness indicator, not a compliance determination or legal advice.
Self-Assessment
Ten Questions on the Core Requirements.
Answer honestly. If you are not sure, that usually means the safeguard is not formally in place.
1Have you designated a qualified individual responsible for your information security program?The Safeguards Rule requires a single accountable person to oversee the program.
2Do you have a written information security program (WISP) that is current and maintained?A documented program covering administrative, technical, and physical safeguards.
3Have you completed a written risk assessment in the last 12 months?A documented assessment of the risks to customer information.
4Is multi-factor authentication enforced on every system that holds customer information?MFA is explicitly required for access to systems with customer data.
5Is customer information encrypted both at rest and in transit?Encryption, or an approved compensating control, is required for customer data.
6Do you limit and review who has access to customer information?Access should be restricted to what each role actually needs, and reviewed periodically.
7Do you have continuous monitoring or regular penetration testing and vulnerability scanning in place?Ongoing monitoring, or annual pen tests plus twice-yearly vulnerability scans.
8Do you have a written incident response plan?A documented plan for responding to a security event affecting customer information.
9Do you assess and oversee the security of the vendors who touch your customer data?Service providers must be selected and monitored for adequate safeguards.
10Do your staff receive regular security awareness training?Personnel must be trained and kept current on security practices.
What Comes Next
From Assessment to a Managed Program.
However you scored, the path forward is the same shape: document what exists, close the gaps, and keep the program current so it holds up under an audit or an underwriter review.
A written information security program (WISP) mapped to your business.
The technical safeguards the rule requires: MFA, encryption, access control, and monitoring.
A designated qualified individual and a documented risk assessment.
Evidence you can hand to an auditor, a client, or a cyber-insurance underwriter.